Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...
Search
no1zy
March 11, 2019
5
1.7k
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
Burp Suite Japan LT Carnivalでの発表資料
no1zy
March 11, 2019
Tweet
Share
More Decks by no1zy
See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
no1zy
14
4.8k
Featured
See All Featured
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1.2k
GraphQLの誤解/rethinking-graphql
sonatard
72
11k
A Tale of Four Properties
chriscoyier
160
23k
Become a Pro
speakerdeck
PRO
29
5.5k
How to train your dragon (web standard)
notwaldorf
96
6.2k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
30
9.7k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
188
55k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Documentation Writing (for coders)
carmenintech
75
5k
How to Ace a Technical Interview
jacobian
280
23k
Transcript
Burp SuiteͷศརͳػೳͰ όάόϯςΟ No1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • ৽ถόάϋϯλʔ • ڈͷ֫ಘใۚ૯ֹ
612ສԁ
όάϋϯλʔBurp Suite͕େ͖ The 2019 Hacker Report
Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ
հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze
target શͯPro൛ͷΈͰར༻Ͱ͖Δ
1. Burp Collaborator client
Burp Collaborator client • ֎෦ͷͪड͚αʔόʔͱͯ͠ͷׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •
DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ
͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ
͍ํ 2. Copy to clipboardΛΫϦοΫ
͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ଓςετ
͍ํ • ϦΫΤετΛ֬ೝ͢Δ
SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ
SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢ΔػೳɺSSRF͕Մೳͳ߹͕͋Δ
http://127.0.0.1:22 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
http://127.0.0.1:4444 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ
None
2. Find Script
Find Script • JavaScriptϑΝΠϧΛऩू͢ΔతͰ༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹཱͯΔ͜ͱ͕Ͱ͖Δ
͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s
͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ
͍ํ • Export scriptsͰϑΝΠϧʹநग़Ͱ͖Δ
APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ
JSParser
1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only
ʹνΣοΫ͠ js ͱೖྗ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 3. ΞΠςϜΛશબ͢Δ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 4. Copy URLsΛΫϦοΫ
2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ͚ 2. JSParseΛΫϦοΫ
৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ
3. Analyze target
Analyze target • Ͳͷύϥϝʔλ͕Կճ༻͞Ε͍ͯΔ͔Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ߹͕͋Δ
͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ
͍ํ ղੳ݁ՌΛ֬ೝ͢Δ
Happy Hunting!